Infosecurity Europe
4-6 June 2024
ExCeL London

Five Critical Skills for the Modern Day CISO

The role of chief information security officer (CISO) has been elevated within organisations in recent years.

Surging cyber threats, alongside trends like increased digitisation and remote working, have made cybersecurity front of mind for business leaders and governments, placing cybersecurity leaders under the spotlight.

This recognition provides opportunities to boost the status and funding for cybersecurity teams, but also presents new responsibilities and pressures on CISOs. This requires the development of a range of new skills, far beyond technical knowledge.

This includes the ability to ‘manage up’ to business leaders and drive cybersecurity awareness across the wider organisation.

Additionally, a plethora of global cybersecurity and data protection laws in recent years have added to the compliance burden for security leaders.

All of this is taking place amid an enormous cyber skills crisis, with ISC2 finding that the global cybersecurity workforce gap has reached four million people.

Five Critical Skills Modern CISOs Need to Thrive

Passion for Learning

The rapid development of transformative technologies, from generative AI to quantum computing, offers both opportunities and risks in cybersecurity. Therefore, it is vital that security leaders stay up to date in their knowledge of the technology landscape and the threats that may be evolving alongside these developments.

This is in addition to a deep understanding of existing legacy and operational tech platforms used within the organisation.

It is also vital for CISOs to stay abreast of the latest concepts in cybersecurity.

These insights are critical for forward planning the organisation’s cybersecurity strategy, putting the right investments in place and developing the necessary skills for the future.

Retaining a high level of knowledge of technology developments is not easy, given the time pressures on security teams. Therefore, CISOs need support from the business to fund and allow the time to attend courses and conferences, like Infosecurity Europe, throughout the year to be able to continuously learn.

Team Management

Amid the cyber skills gap and growing pressures on security teams, issues like stress and burnout have become prevalent, including among CISOs.

This in turn has led to a high rate of turnover in cybersecurity roles, with many professionals considering leaving the sector altogether.

In this environment, CISOs have to utilise their resources in the smartest possible way to reduce the burden on cyber professionals and manage their team in an efficient way.

In an interview with Infosecurity Magazine in 2023, Erhan Temurkan, Director of Security and Technology at Fleet Mortgages, highlighted how technologies like AI can reduce workloads, while also making work more fun for employees by reducing the more mundane tasks.

He also advocated rotating shift patterns and tasks for personnel, to make their role more varied.

In a highly competitive cybersecurity jobs market, retention is an increasing challenge for CISOs. Providing personalised training and development opportunities is vital for keeping employees motivated and happy in their current teams.

Business Knowledge and Understanding

As well as understanding the technical components of cybersecurity, it is vital that CISOs have an in-depth understanding of the business they work in.

With such a wide tech stack to protect and often limited resources to play with, risk management has become a key part of cybersecurity strategy. Prioritising the protection of systems and data according to the needs of the business is a must.

This includes vulnerability management, where patching should be prioritised for the flaws that pose the biggest threat to the business.

There are a variety of ways CISOs can garner such an understanding. One is taking formal business education and courses.

Another interesting development is the emerging role of business information security officers (BISOs), who help translate the needs of the business in a cybersecurity context.

Speaking on a webinar during the Infosecurity Magazine Spring Online Summit 2024, Heather Lowrie, CISO at The University of Manchester, explained that BISOs essentially act as a bridge between the cybersecurity function and business areas.

“Being able to translate and act as that cultural mediator is a really interesting development in our industry and I’m keen to see more BISOs in organisations,” said Lowrie.

Networking and Relationship Building

It has become clear that cybersecurity is now far from solely the domain of IT teams. Verizon’s 2024 Data Breach Investigations Report (DBIR) found that 68% of all breaches involved a non-malicious human element, such as falling victim to a phishing attack.

Reducing this risk among the wider workforce is critical. It is important that security leaders take the time to speak to people throughout the organisation to understand their role. This will help them develop appropriate security controls that are effective.

Speaking at the Infosecurity Magazine Online Summit event, Lianne Potter, Head of SecOps at Asda, explained: “It’s about talking to people and understanding what people’s motivations are because quite often we put security controls in place and it prevents them from doing work as frictionless as possible. Then they do workarounds which are often more insecure than the thing we’re trying to prevent in the first place.”

Security leaders will also need to coordinate closely with other departments in the event of a cybersecurity incident, such as HR and legal. Regular exercises should be conducted to practice how responses are coordinated.

Outside of the organisation, the growing prevalence of third-party cyber-incidents necessitates closer monitoring and understanding of vendors’ security practices. CISOs should ensure they are working closely with counterparts at suppliers so that those suppliers do not provide an easy backdoor into their organisation’s systems and data.

Collaboration is a skill that is increasingly recognised by security leaders. Research by F-Secure in 2021 found that two-thirds of CISOs said they understood the growing importance of emotional intelligence in enabling them to understand, empathise and negotiate with people both inside and outside of their organisation.

Communication

The CISO is the breadwinner for the department, responsible for obtaining the largest possible budget from the business, and must be able to communicate clearly how that budget is to be allocated and when an increase is required.

CISOs must be able to explain cyber risks, and the work of the security team, to the board and C-suite. This means having a clear message that can be communicated to a non-technical audience.

They must understand fundamental business concepts and be able to communicate in a language that executives will understand and pay attention to. For example, they should be able to explain how cyber-attacks can hit the business’s bottom line, such as through lost market share and damage to reputation.

This information should be presented in a manner business leaders are used to – concise points that highlight important statistics. If the boardroom properly understands how cyber incidents can damage business goals, and the important work of the security team in preventing this, they will be much more likely to provide more support to the CISO, financially and otherwise.

Conclusion

CISOs now face the challenge of balancing strategic leadership, navigating a complex regulatory landscape, and mitigating ever-evolving cyber threats, all during a critical talent shortage.

The core skills listed here provide a guide to some of the attributes needed to tackle the challenges CISOs face in today’s cybersecurity world.